Terms & Conditions

Effective: June 10, 2025  | Last updated: March 23, 2026

POSTALBRIDGE DATA-PROCESSING ADDENDUM (DPA)

Last Updated — Feb 1 2026

Read Carefully

This Data-Processing Addendum (“DPA”) supplements the PostalBridge Operator Agreement between Lumivo, LLC d/b/a PostalBridge (“PostalBridge”) and the undersigned business location (“Operator”). It applies whenever Operator processes Personal Data on behalf of PostalBridge.

Summary (For Convenience Only)

 
This summary is for readability only and does not change the DPA. If there is any conflict, the DPA controls.
  • Role: PostalBridge is generally the Controller; Operator acts as Processor (or as Sub-processor when PostalBridge is a Processor for its Customers).
  • Instructions-only: Operator processes Personal Data only on documented instructions and only to perform Services.
  • No selling/sharing: Operator may not sell/share Personal Data or use it for Operator’s own purposes (marketing, analytics, product improvement outside Services).
  • Security: Operator must maintain strong administrative/technical/physical safeguards and report breaches within 24 hours.
  • Sub-processors: No subcontracting without written consent; flow-down contract terms; Operator remains liable.
  • Rights + audits: Operator assists with requests; PostalBridge can audit annually (and after a breach).
  • Return/delete: Upon termination, return or delete Personal Data as directed, unless retention is required by law.

1. Definitions

Term | Meaning
Personal Data | Any information relating to an identified or identifiable natural person received via the PostalBridge Platform.
Processing | Any operation performed on Personal Data (e.g., collection, storage, access, use, disclosure, transmission, deletion).
Applicable Law | All privacy, data-protection, and cybersecurity laws applicable to the Parties and the Processing, including (as applicable) US state privacy laws (including CCPA/CPRA), Canadian federal/provincial privacy laws (including PIPEDA and Québec Law 25), and any implementing regulations.
Controller / Processor | Meanings given in GDPR Art. 4. PostalBridge is the Controller; Operator is the Processor (or Sub-processor when PostalBridge acts as a Processor for its Customers).
Sub-processor | Any third party engaged by Operator that may Process Personal Data.
Personal-Data Breach | A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

2. Subject Matter; Purpose; Duration

  • Subject matter. Processing of Personal Data to provide mail receipt, exterior scanning, storage, forwarding, shredding, and enabled add-ons (the “Services”).
  • Duration. The term of the Operator Agreement plus any retention period required by Applicable Law and permitted instructions.
  • Categories of data subjects. Customers, mailbox recipients, authorized users, and other individuals whose Personal Data is included in mail items or related records.
  • Types of Personal Data. Identity and contact information, mail metadata, scans/images, instructions/communications, and compliance/verification records as applicable to the Services.

3. Roles; Instructions; Use Restrictions

  1. Instructions-only. Operator shall Process Personal Data only on documented instructions from PostalBridge and only as necessary to provide the Services. Instructions include this DPA, the Operator Agreement, and in-Platform or written operational directions.
  2. Legality notice. Operator will promptly inform PostalBridge if it believes an instruction infringes Applicable Law (and will not carry out the instruction until clarified, unless legally required).
  3. US service provider / processor restrictions. Operator shall not: (a) sell or share Personal Data; (b) retain, use, or disclose Personal Data for any purpose other than performing the Services for PostalBridge under this DPA; or (c) use Personal Data for Operator’s own commercial purposes, advertising, marketing, analytics, profiling, or product improvement unrelated to Services. Operator shall not combine Personal Data received from PostalBridge with Personal Data from other sources except as expressly permitted in writing by PostalBridge. Operator certifies it understands and will comply with these restrictions and will promptly notify PostalBridge if it can no longer comply.

4. Security Measures

  • Operator shall implement and maintain appropriate administrative, technical, and physical safeguards designed to protect Personal Data and provide a comparable level of protection to PostalBridge’s requirements.
  • Access controls. Least-privilege access, unique user accounts, and prompt access removal for separated personnel.
  • Encryption. Encrypt Personal Data in transit (TLS 1.2+) and at rest where electronically stored and supported by systems used.
  • Confidentiality. Ensure personnel with access are bound by written confidentiality obligations.
  • Physical safeguards. Locked storage and controlled-access mail handling areas; commercially reasonable surveillance (e.g., CCTV) for mail areas.
  • Secure disposal. Secure shredding/disposal for printed or physical Personal Data when no longer needed for Services, consistent with instructions and Applicable Law.

5. Sub-processors

  1. No subcontracting without consent. Operator may not engage any Sub-processor that will Process Personal Data without PostalBridge’s prior written consent.
  2. Flow-down terms. Operator must execute a written agreement with each approved Sub-processor imposing protections at least as protective as this DPA, including the same “no sell/share” and “no retain-use-disclose outside Services” limitations.
  3. Liability. Operator remains fully responsible for each Sub-processor’s acts and omissions.

6. Data Subject Rights

Operator shall promptly assist PostalBridge, to the extent reasonably possible, in fulfilling verified requests to access, correct, delete, or port Personal Data, or to object/restrict Processing, as required by Applicable Law.

If Operator receives any request directly from an individual, Operator shall not respond (except to confirm receipt) and must forward it to PostalBridge within 48 hours, unless PostalBridge provides written instructions to respond.

7. Personal-Data Breach

  • Notice deadline. Operator will notify PostalBridge without undue delay and in any event within 24 hours after becoming aware of a Personal-Data Breach.
  • Details. Operator will provide available details on the nature of the incident, affected records, likely consequences, mitigation steps taken, and planned corrective actions, and will provide updates as information becomes available.
  • No external notice. Operator shall not notify any regulator, individual, or third party about a breach without PostalBridge’s prior written approval unless Operator is legally required to do so (and, where permitted, Operator will give advance notice to PostalBridge).

8. DPIAs; Cooperation; Audit

  1. DPIA support. Operator shall provide information reasonably necessary for PostalBridge to complete a data protection impact assessment when required by Applicable Law.
  2. Audit. PostalBridge (or an independent auditor bound by confidentiality) may audit Operator’s compliance with this DPA once per year on 30 days’ notice, and additionally following a Personal-Data Breach or credible compliance concern. Audits will be conducted during normal business hours and in a manner designed to minimize disruption.

9. International / Cross-Border Transfers

Operator shall not transfer, remotely access, or permit access to Personal Data outside the jurisdiction where it was collected unless expressly authorized in writing by PostalBridge.

Where Québec personal information is involved, Operator shall provide information reasonably requested by PostalBridge to support any required privacy impact assessment and shall sign any additional transfer terms PostalBridge requires before any cross-border Processing occurs.

10. Return or Deletion

Upon termination of the Operator Agreement (or earlier upon PostalBridge’s request), Operator shall, at PostalBridge’s choice, return or securely delete all Personal Data (including copies) unless retention is required by Applicable Law. Operator will provide written confirmation of deletion upon request. Routine backups may be retained only to the extent required by standard automated archival processes, subject to ongoing confidentiality and access restrictions.

11. Liability; Indemnity

Operator will indemnify PostalBridge for claims arising from Operator’s breach of this DPA. Liability caps (if any) follow the Operator Agreement, except where prohibited by Applicable Law.

12. Order of Precedence

In the event of conflict, this DPA prevails over the Operator Agreement with respect to Personal-Data Processing.
